  • PreparedStatement 和 Statement 的区别(推荐使用PreparedStatement)

    PreparedStatement与Statement在使用时的区别:

    1.Statement:

    String sql=" ";

    executeUpdate(sql)

    2. PreparedStatement:

    String sql(可能存在占位符?)

    在创建PreparedStatement 对象时,将sql预编译 prepareStatement(sql)

    executeUpdate()

    setXxx()替换占位符?

    推荐使用PreparedStatement:原因如下:

      1. 编码更加简便(避免了字符串的拼接)

    String name = "zs" ;
    int age = 23 ;
    
    stmt:
    String sql =" insert into student(stuno,stuname) values('"+name+"', "+age+" ) " ;
    stmt.executeUpdate(sql);
    
    pstmt:
    String sql =" insert into student(stuno,stuname) values(?,?) " ;
    pstmt = connection.prepareStatement(sql);//预编译SQL
    pstmt.setString(1,name);
    pstmt.setInt(2,age);

      2. 提高性能(因为 有预编译操作,预编译只需要执行一次)

    需要重复增加100条数据

    stmt://编译100次,执行100次
    String sql =" insert into student(stuno,stuname) values('"+name+"', "+age+" ) " ;
    for(100)
    stmt.executeUpdate(sql);
    
    pstmt://编译1次,执行100次
    String sql =" insert into student(stuno,stuname) values(?,?) " ;
    pstmt = connection.prepareStatement(sql);//预编译SQL
    pstmt.setString(1,name);
    pstmt.setInt(2,age);
    for( 100){
    pstmt.executeUpdate();
    }

    3.安全(可以有效防止 sql 注入)

    sql 注入: 客户输入的内容被直接拼接进开发人员的SQL语句, 两者混为一体, 输入就会被当作SQL的一部分来解析执行

    stmt:存在被sql注入的风险

    (例如输入 用户名:任意值 ' or 1=1 --

    密码:任意值)

    分析:

    select count(*) from login where uname='任意值 ' or 1=1 --' and upwd ='任意值' ;
    
    select count(*) from login where uname='任意值 ' or 1=1 ;
    
    select count(*) from login ;
    
    
    select count(*) from login where uname='"+name+"' and upwd ='"+pwd+"'
    
    pstmt:有效防止sql注入(SQL语句在 prepareStatement 时已经编译好, 参数通过 setXxx() 绑定, 只作为数据值传递, 不会再被当作SQL语句的一部分解析)

    推荐使用PreparedStatement

    代码对比

    package jdbcproject;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    
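    /**
     * JDBC demo using a plain {@link Statement}: the SQL text is assembled by string
     * concatenation and sent as one string. The companion class JDBCPreparedStatementDemo
     * performs the same operations with bound parameters, which is the form to use for any
     * value that can come from outside the program.
     */
    public class JDBCStatementDemo {
        private static final String URL = "jdbc:mysql://localhost:3306/mydatabase?serverTimezone=GMT%2B8";
        // Demo-only credentials. Real code reads these from configuration, never from source.
        private static final String USERNAME = "root";
        private static final String PWD = "password";

        /**
         * Executes one DML statement (here a delete) and prints a message when at least one
         * row was affected.
         *
         * <p>The Connection and Statement are opened in try-with-resources so they are closed
         * in reverse order even when {@code executeUpdate} throws; the original closed them
         * only on the success path.
         *
         * @throws ClassNotFoundException if the MySQL driver class is not on the classpath
         * @throws SQLException if connecting or executing the statement fails
         */
        public static void update() throws ClassNotFoundException, SQLException {
            // a. load the concrete driver class
            Class.forName("com.mysql.cj.jdbc.Driver");
            // Other DML variants from the original demo:
            //   insert: "insert into student values(2,'李四',21)"
            //   update: "update student set name='张三'  where id=1"
            String sql = "delete from student where id=1";
            // b. connect to the database, c. send the SQL
            try (Connection connection = DriverManager.getConnection(URL, USERNAME, PWD);
                 Statement stmt = connection.createStatement()) {
                int count = stmt.executeUpdate(sql);
                if (count > 0) {
                    System.out.println("操作成功!");
                }
            }
        }

        /**
         * Runs a LIKE query on the student table and prints every matching row as
         * {@code id--name--age}.
         *
         * <p>The search value is spliced into the SQL text. That is exactly the pattern
         * JDBCPreparedStatementDemo.query() replaces with a bound parameter; it is tolerable
         * here only because {@code stuname} is a hard-coded constant, never user input.
         *
         * @throws ClassNotFoundException if the MySQL driver class is not on the classpath
         * @throws SQLException if connecting, executing the query or reading the result fails
         */
        public static void query() throws ClassNotFoundException, SQLException {
            // a. load the concrete driver class
            Class.forName("com.mysql.cj.jdbc.Driver");
            char stuname = 'a';
            // fuzzy match on name
            String sql = "select id,name,age from student where name like '%" + stuname + "%'";
            // b. connect, c. query; ResultSet, Statement and Connection are closed in that
            // order (reverse of opening) by try-with-resources, including on failure
            try (Connection connection = DriverManager.getConnection(URL, USERNAME, PWD);
                 Statement stmt = connection.createStatement();
                 ResultSet rs = stmt.executeQuery(sql)) {
                while (rs.next()) {
                    int id = rs.getInt("id");
                    String name = rs.getString("name");
                    int age = rs.getInt("age");
                    System.out.println(id + "--" + name + "--" + age);
                }
            }
        }

        /**
         * Entry point: runs the query demo. Swap the comment to run the DML demo instead.
         *
         * @param args ignored
         * @throws ClassNotFoundException propagated from the demo method
         * @throws SQLException propagated from the demo method
         */
        public static void main(String[] args) throws ClassNotFoundException, SQLException {
            // update();
            query();
        }
    }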
    package jdbcproject;
    
    import java.lang.invoke.StringConcatFactory;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    
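    /**
     * JDBC demo using {@link PreparedStatement}: the SQL is handed to the driver once with
     * {@code ?} placeholders and the values are bound afterwards with {@code setXxx()}, so a
     * bound value is passed as data and is not spliced into the SQL text.
     */
    public class JDBCPreparedStatementDemo {
        private static final String URL = "jdbc:mysql://localhost:3306/mydatabase?serverTimezone=GMT%2B8";
        // Demo-only credentials. Real code reads these from configuration, never from source.
        private static final String USERNAME = "root";
        private static final String PWD = "password";

        /**
         * Inserts one student row through a prepared statement and prints a message when at
         * least one row was affected.
         *
         * <p>The Connection and PreparedStatement are opened in try-with-resources so they
         * are closed in reverse order even when {@code executeUpdate} throws; the original
         * closed them only on the success path.
         *
         * @throws ClassNotFoundException if the MySQL driver class is not on the classpath
         * @throws SQLException if connecting, preparing or executing the statement fails
         */
        public static void update() throws ClassNotFoundException, SQLException {
            // a. load the concrete driver class
            Class.forName("com.mysql.cj.jdbc.Driver");
            // c. the SQL is written up front; every value is a placeholder.
            // Other DML variants from the original demo (write them with placeholders too):
            //   insert: "insert into student values(2,'李四',21)"
            //   update: "update student set name='张三'  where id=1"
            //   delete: "delete from student where id=1"
            String sql = "insert into student values(?,?,?)";
            // b. connect; prepareStatement pre-compiles the SQL
            try (Connection connection = DriverManager.getConnection(URL, USERNAME, PWD);
                 PreparedStatement pstmt = connection.prepareStatement(sql)) {
                pstmt.setInt(1, 5);
                pstmt.setString(2, "超凡");
                pstmt.setInt(3, 21);
                // no SQL argument here: the statement was fixed at prepareStatement time
                int count = pstmt.executeUpdate();
                if (count > 0) {
                    System.out.println("操作成功!");
                }
            }
        }

        /**
         * Runs a LIKE query on the student table with a bound pattern and prints every
         * matching row as {@code id--name--age}.
         *
         * @throws ClassNotFoundException if the MySQL driver class is not on the classpath
         * @throws SQLException if connecting, executing the query or reading the result fails
         */
        public static void query() throws ClassNotFoundException, SQLException {
            // a. load the concrete driver class
            Class.forName("com.mysql.cj.jdbc.Driver");
            // c. the SQL is written up front; the search pattern is a placeholder
            String sql = "select * from student where name like ?";
            // b. connect; resources are closed in reverse order of opening, including on
            // failure (ResultSet, then PreparedStatement, then Connection)
            try (Connection connection = DriverManager.getConnection(URL, USERNAME, PWD);
                 PreparedStatement pstmt = connection.prepareStatement(sql)) {
                // fuzzy match: the LIKE wildcards belong to the bound value, not the SQL text
                pstmt.setString(1, "%g%");
                try (ResultSet rs = pstmt.executeQuery()) {
                    while (rs.next()) {
                        int id = rs.getInt("id");
                        String name = rs.getString("name");
                        int age = rs.getInt("age");
                        System.out.println(id + "--" + name + "--" + age);
                    }
                }
            }
        }

        /**
         * Entry point: runs the query demo. Swap the comment to run the DML demo instead.
         *
         * @param args ignored
         * @throws ClassNotFoundException propagated from the demo method
         * @throws SQLException propagated from the demo method
         */
        public static void main(String[] args) throws ClassNotFoundException, SQLException {
            // update();
            query();
        }
    }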
  • 原文地址:https://www.cnblogs.com/deepend/p/12251916.html